SOC 1 Type II (Internal Controls over Financial Reporting)
SOC 1 Type II examines the design and operating effectiveness of service organization controls relevant to user entities' internal controls over financial reporting.
A SOC 1 Type II report, issued under SSAE No. 18 (AT-C Section 320) by the AICPA, examines controls at a service organization that are relevant to user entities' internal controls over financial reporting (ICFR). Unlike SOC 2, which uses fixed Trust Services Criteria, SOC 1 controls are defined by the service organization based on which of its processes could affect the financial statements of its customers. SOC 1 is relevant primarily for financial processing services — payroll processors, loan servicers, claims processors, treasury management platforms, and similar services whose outputs flow directly into user entity financial records. Type II covers a period (typically 6 or 12 months), testing both design adequacy (were controls designed to achieve the control objective?) and operating effectiveness (did the controls function as designed throughout the period?).
Defining the SOC 1 control environment requires a process-mapping exercise between service organization functions and user entity ICFR categories — existence/completeness of transactions, authorization, accuracy of amounts, cutoff, and classification. Controls must address each risk of material misstatement that the service organization's processing could introduce. For a payroll processor, this encompasses input controls (ensuring only authorized payroll data enters the system), processing controls (ensuring calculations apply the correct rates and deductions without error), output controls (ensuring payroll files transmitted to banks and ledgers are complete and accurate), and change management controls (ensuring system changes do not introduce calculation errors). Each control must have a defined owner, documented execution procedure, and evidence of consistent operation across the audit period.
SOC 1 Type II reports are used by user entities' external auditors, who conduct ICFR audits under PCAOB AS 2201 or AICPA AU-C 402, to determine how much reliance can be placed on service organization controls. A clean SOC 1 Type II with no exceptions allows the user entity's auditor to rely on the service organization's controls without performing their own substantive testing. Exceptions — findings where a control did not operate effectively during the period — must be evaluated by the user entity's auditor for their impact on the ICFR assessment. Multiple exceptions in key financial processing controls can lead the user entity's auditor to expand their own testing scope, with ripple effects on the user entity's audit timeline and cost.
We scope SOC 1 engagements through financial transaction flow analysis, mapping service organization processes to user entity ICFR assertions and identifying the precise control points required. Our control design workshops produce SOC 1-ready control matrices with evidence collection procedures, and we implement continuous control monitoring tooling that generates audit-ready evidence logs throughout the Type II period.